VPN's: Ready for More than Simple Remote Access?

By now, organizations with plenty of telecommuters aren't strangers to VPN's but network managers are finding possibilities and problems as they expand the VPN's role.

Although mission critical applications are waiting in the wings, VPN
deployments still revolve mainly around remote access. Security and other
management issues are things to be reckoned with, though, regardless of the
type of VPN implementation.

"Network managers are accustomed to running data over private networks.
They're looking at VPNs and saying, 'I'm only going to use them for remote
access," says Kathryn Korostoff, president of analyst firm Sage Research.

To reach that goal, however, many organizations will need to either replace
or integrate existing "hodgepodges of different equipment and different
methodologies" or outsource VPNs to service providers, according to
Detroia.

"You can almost say that every multinational is in a position where they
can use help," Detroia said, during the recent Internet World show in Los
Angeles.

Beyond the mission-critical and remote access categories, other VPN
applications in varying stages of deployment include VoIP, wireless LANs,
Internet access, and business partner trading extranets.

For remote access, VPN appliances with built-in multitiered security are
typically more than adequate to do the job, suggests Andrew Savage, senior
product manager, alignment and security, in Avaya's WAN Wireless Security
Group. Administrators can configure levels of encryption and authentication
according to the sensitivity of the data.

"The security doesn't have to be 'James Bond, where you hit an eyeball
scanner," Savage observes.

Even with remote access applications, though, many consultants are
advocating increased security. Jonathan Spira, chief analyst for the Basex
Group, points to the need for firewall and intrusion detection hardware or
software at remote end points, including telecommuters' home PCs or
laptops.

For telecommuters with always on connections, Detroia "highly recommends a
very comprehensive firewall," so as to prevent intruders from compromising
secure tunnels and possibly "wreaking havoc" on corporate nets.

Firewalls are particularly crucial for end users accessing VPNs through
cable networks, as opposed to dial-up or DSL connections, notes John
O'Keefe, CEO and CTO for Fine Point Technologies, Inc.

Wireless LANs also need extra protection, according to Spira. Wireless
protocols such as WEP, LEAP, and TLA amount to "garbage mechanisms" without
the addition of IPsec, Savage agrees.

Increasingly, VPN appliances are integrating firewalls and intrusion
detection. Administrators can also use turn to separate software packages
from companies like ZoneLabs and NetScreen.

For mission critical and VoIP deployments, though, network administrators
are still looking for "proof points," according to Sage's Korostoff, a
speaker at the recent Service Networks conference.

"You can talk to network managers all you want about tunnelling and IPsec.
They're just fundamentally uncomfortable about putting proprietary
information over anything that's shared. Network managers also have
lingering concerns about performance issues. The quality of their work life
depends on how many angry phone calls they get," she said afterward. Sage
conducts ongoing research among network managers.

Outside of security and performance, other management issues include
usability, IPsec interoperability, and administration of distributed VPNs.
"Interoperability has been a big deal within IPsec for a long time,"
according to Avaya's Savage.

At this point, products certified by groups such as ICSA Labs and the VPN
Consortium are largely interoperable, Savage says. Still, some tweaking
might be required in more complex deployments, such as those relying on
Triple DES encryption.

AT&T is now teaming with Radware in an offering called AT&T Managed
Internet Service with Access Redundancy. The solution integrates Radware's
LinkProof multi-link traffic manager.

For usability's sake, AT&T has redesigned its VPN client. With version 5 of
its dialer, AT&T's intent is to "shield end users from the magic" of cable,
DSL, IPsec, and firewalls, according to Detroia. AT&T's firewall software
is available as an add-on.

Usable interfaces can also help to cut costs for customers, by minimizing
the need for employee training. "People just want to 'click,' and that's
it. You don't want to have to retrain your staff," Savage says.

SLAs constitute the best kind of proof point for running mission critical
data over VPNs, according to Korostoff. "The SLA is just about the only
thing a service provider can do. Through the SLA, (the provider) can show
you that you're getting private network-like performance, or that your data
is secure."